RESOLVED FIXED
Bug 36083 - REGRESSION (r55772-r55834): Crash in JavaScriptCore RegExp code on PowerPC
https://bugs.webkit.org/show_bug.cgi?id=36083
Kevin M. Dean, Reported 2010-03-12 20:52:25 PST
Created attachment 50651 [details]: Crashlog

I've crashed 9 times over the last 2 days on various different sites. The Google site listed above is just one of them. They all show the same crash information. (Full log as attachment.)

Thread 0 Crashed:
0 com.apple.JavaScriptCore 0x00609400 __ZL5matchPKtPKhiR9MatchData + 11856
1 com.apple.JavaScriptCore 0x0060a780 jsRegExpExecute(JSRegExp const*, unsigned short const*, int, int, int*, int) + 1216
2 com.apple.JavaScriptCore 0x00612e88 JSC::RegExp::match(JSC::UString const&, int, WTF::Vector<int, 32ul>*) + 568
3 com.apple.JavaScriptCore 0x006254b8 __ZN3JSCL22stringProtoFuncReplaceEPNS_9ExecStateEPNS_8JSObjectENS_7JSValueERKNS_7ArgListE + 3768
4 com.apple.JavaScriptCore 0x00570770 JSC::Interpreter::privateExecute(JSC::Interpreter::ExecutionFlag, JSC::RegisterFile*, JSC::ExecState*, JSC::JSValue*) + 52624
5 com.apple.JavaScriptCore 0x00576b94 JSC::Interpreter::execute(JSC::FunctionExecutable*, JSC::ExecState*, JSC::JSFunction*, JSC::JSObject*, JSC::ArgList const&, JSC::ScopeChainNode*, JSC::JSValue*) + 1140
6 com.apple.JavaScriptCore 0x0059153c JSC::JSFunction::call(JSC::ExecState*, JSC::JSValue, JSC::ArgList const&) + 172
7 com.apple.JavaScriptCore 0x0050f71c JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 156
8 com.apple.WebCore 0x0179b560 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 1968
9 com.apple.WebCore 0x01525390 WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 512
10 com.apple.WebCore 0x014e7008 WebCore::DOMWindow::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, WTF::PassRefPtr<WebCore::EventTarget>) + 440
11 com.apple.WebCore 0x014e7e2c WebCore::DOMWindow::dispatchLoadEvent() + 300
12 com.apple.WebCore 0x01452fdc WebCore::Document::implicitClose() + 716
13 com.apple.WebCore 0x015578e4 WebCore::FrameLoader::checkCompleted() + 180
14 com.apple.WebCore 0x01557ac4 WebCore::FrameLoader::completed() + 148
15 com.apple.WebCore 0x015578f8 WebCore::FrameLoader::checkCompleted() + 200
16 com.apple.WebCore 0x01b25968 WebCore::Loader::Host::didFinishLoading(WebCore::SubresourceLoader*) + 408
17 com.apple.WebCore 0x01d26f9c WebCore::SubresourceLoader::didFinishLoading() + 76
18 com.apple.Foundation 0x92372814 _NSURLConnectionDidFinishLoading + 120
19 com.apple.CFNetwork 0x93d0fd8c URLConnectionClient::_clientDidFinishLoading(URLConnectionClient::ClientConnectionEventQueue*) + 236
20 com.apple.CFNetwork 0x93d10a08 URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 172
21 com.apple.CFNetwork 0x93d10cd8 URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 892
22 com.apple.CFNetwork 0x93d0f500 URLConnectionClient::processEvents() + 132
23 com.apple.CFNetwork 0x93cb9020 MultiplexerSource::perform() + 168
24 com.apple.CoreFoundation 0x953270d0 CFRunLoopRunSpecific + 1104
25 com.apple.HIToolbox 0x90d99b14 RunCurrentEventLoopInMode + 264
26 com.apple.HIToolbox 0x90d99938 ReceiveNextEventCommon + 412
27 com.apple.HIToolbox 0x90d99778 BlockUntilNextEventMatchingListInMode + 84
28 com.apple.AppKit 0x9277d244 _DPSNextEvent + 596
29 com.apple.AppKit 0x9277cbfc -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 112
30 com.apple.Safari 0x0000dbf4 0x1000 + 52212
31 com.apple.AppKit 0x9277689c -[NSApplication run] + 744
32 com.apple.AppKit 0x92747298 NSApplicationMain + 440
33 com.apple.Safari 0x0000302c 0x1000 + 8236
Attachments
Crashlog (35.16 KB, text/plain), 2010-03-12 20:52 PST, Kevin M. Dean, no flags. Details
The patch (2.27 KB, patch), 2010-03-16 15:55 PDT, Gavin Barraclough, oliver: review+. Details, Formatted Diff, Diff
Mark Rowe (bdash), Comment 1, 2010-03-13 13:08:12 PST
*** Bug 36087 has been marked as a duplicate of this bug. ***
Mark Rowe (bdash), Comment 2, 2010-03-13 13:08:16 PST
*** Bug 36086 has been marked as a duplicate of this bug. ***
Mark Rowe (bdash), Comment 3, 2010-03-13 13:08:52 PST
<rdar://problem/7751468>
Gavin Barraclough, Comment 4, 2010-03-13 15:47:42 PST
Nothing obvious in this range, will need to test on PPC to find the exact revision causing the problem.
Alexey Proskuryakov, Comment 5, 2010-03-13 16:36:25 PST
*** Bug 36090 has been marked as a duplicate of this bug. ***
Alexey Proskuryakov, Comment 6, 2010-03-15 20:34:41 PDT
*** Bug 36126 has been marked as a duplicate of this bug. ***
Gavin Barraclough, Comment 7, 2010-03-16 15:55:30 PDT
Created attachment 50848 [details]: The patch

The problem is a bug in our port of PCRE - that a read may take place from the first character in an empty string. For the time being, revert to using a valid pointer in the data segment rather than an invalid non-null pointer into the zero-page for the empty string's data pointer. A better fix for this will be to remove PCRE.
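As an added illustration (not the patch itself and not WebKit code), a small C model of the defect and of the workaround this comment describes: a matcher that reads the first subject element before consulting the length, the empty string backed by a real one-element buffer rather than a zero-page address, and a check on the representation. StringRep, the helper names and the 4096-byte page size are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>

typedef uint16_t UChar;   /* 16-bit character type, assumed to match JSC's UChar */

/* Hypothetical stand-in for a string's backing store: data pointer + length. */
typedef struct {
    const UChar *data;
    int length;
} StringRep;

/* The workaround from the patch: back the empty string with a real, readable
   one-element buffer instead of a non-null pointer into the zero page. */
static UChar emptyUCharData = 0;

static StringRep make_empty_string(void)
{
    StringRep s = { &emptyUCharData, 0 };
    return s;
}

/* Illustrative matcher with the defect the bug describes: it reads the first
   subject character before consulting the length. With the sentinel buffer
   this read stays inside a real object and yields 0 instead of faulting. */
static int first_char_unchecked(StringRep s)
{
    UChar c = s.data[0];   /* executed even when s.length == 0 */
    return (int)c;
}

/* Corrected matcher: check the length before touching the data. */
static int first_char_checked(StringRep s)
{
    if (s.length == 0)
        return -1;
    return (int)s.data[0];
}

/* Sanity check for an empty-string representation: the data pointer must be
   non-null and outside the zero page. A 4096-byte zero page is an assumption. */
static int empty_rep_is_dereferenceable(const UChar *p)
{
    return p != NULL && (uintptr_t)p >= 4096;
}
```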
Oliver Hunt, Comment 8, 2010-03-16 15:57:20 PDT
Comment on attachment 50848 [details]: The patch
r=me
Darin Adler, Comment 9, 2010-03-16 15:57:31 PDT
Comment on attachment 50848 [details]: The patch
> +// FIXME: This works around a bug in our port of pcre, that a regular expression run on the empty string > +// may still perform a read from the first element, and as such we need this to be a valid pointer. > +// No code should ever be reading from a zero length string, so this should be able to be a non-null > +// pointer into the zero-page. Replace this with 'reinterpret_cast<UChar*>(static_cast<intptr_t>(1))' > +// once PCRE goes away.
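Review bot: the FIXME should cite this bug (https://bugs.webkit.org/show_bug.cgi?id=36083) so that whoever later removes PCRE can find the rationale, and it should state that a single UChar is sufficient because, as the comment itself says, only the first element is read; as written a reader cannot tell whether longer reads also need guarding. It is also worth saying explicitly that the proposed replacement `reinterpret_cast<UChar*>(static_cast<intptr_t>(1))` is intentionally a non-dereferenceable sentinel, not a valid object pointer.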
We don't format our comments this way. The subsequent lines go under FIXME, not indented. Also, one space after a period. Also, call it PCRE the first time, not pcre.
> +static UChar emptyUCharData = 0;
This can go inside the function instead of outside at file level.
Gavin Barraclough, Comment 10, 2010-03-16 16:15:49 PDT
Fixed in r56092.